To the uninitiated, Linux is full of similar sounding acronyms, and one of the most common questions asked is what the difference is between ssh and sshd. The goal of this article is to bring you up to speed on this most important privacy tool. If you are looking for instructions on how to implement SSH, read Secur’s article on SSH.
Understanding the Difference Between ssh and sshd
At its core, SSH (Secure Shell) is a tool that encrypts identities, passwords, and data, allowing:
- Secure system administration,
- File transfers, and
- Communication across untrusted networks.
Clear? I hope so. Next question…
What is an SSH Key?
SSH supports an authentication mechanism called public key authentication, which is based on cryptographic keys. SSH replaced the insecure .rhosts authentication, which was vulnerable to active network-level attacks, and thereby improved network security. The basics of SSH keys are:
- SSH keys come in two kinds:
- user keys: The keys used for user authentication.
- host keys: The keys used for authenticating hosts.
- One or more public keys may be configured as authorized keys;
- A private key corresponding to an authorized key serves as authentication to the server.
- Both authorized keys and private keys are stored in the .ssh directory in a user’s home directory.
- These keys function like super strong passwords, but they cannot be stolen from the network.
- The private key can be encrypted locally.
SSH Keys and Risk Management
Many cybercrimes involve rogue employees utilizing SSH keys and criminals outright buying SSH keys from insiders. SSH keys pose a number of security risks, as they often grant privileged access and the compromise of a single key grants illegitimate system access:
- The sheer volume of SSH keys surprises everybody. Most large enterprises have hundreds of thousands of keys and do not know how many.
- SSH keys lack provisioning/termination/oversight processes and policies.
- Many keys are unused and represent access that was never properly terminated.
- Nobody knows who owns the corresponding private keys.
- Unlike many password systems, there is no built-in mechanism to change SSH keys periodically.
- SSH keys can be compromised:
- Recent malware packages have been collecting SSH keys.
- SSH keys can be used to hide backdoors that are unlikely to ever be discovered without SSH key management.
- It is often impossible to tell whether a key is a backdoor or a key that was simply forgotten.
- Because SSH keys are used in disaster recovery and backup systems, they can spread an attack throughout the server environment, representing a major cyberwarfare/cyberterrorism threat.
- Improperly managed host keys expose hosts to network-level man-in-the-middle attacks.
What is OpenSSH?
OpenSSH is an open source implementation of the SSH protocol, delivered as source code or precompiled binaries under a BSD-style license.
OpenSSH is available via:
- Source code download at the project website.
- Distribution-specific package management systems; acquire OpenSSH via the operating system’s package manager.
The OpenSSH client program:
- Is called ssh.
- Uses information in the .ssh directory in the user’s home directory.
- Gets system-wide configuration from /etc/ssh/ssh_config.
The OpenSSH server program:
- Is called sshd.
- Is typically started during boot.
- Reads its configuration from the /etc/ssh directory.
- Stores its main configuration file in /etc/ssh/sshd_config.
SSH key management in relation to OpenSSH presents a number of issues:
- Lack of policies and provisioning/termination processes. Users are commonly allowed to self-provision keys for themselves (and anyone they like).
- Auditing SSH key-based access is not possible due to the proprietary certificates supported by OpenSSH.
- These certificates do not allow you to figure out which keys a server will accept by simply analyzing the server.
- There is no reliable audit trail or record of the specific keys a certificate authority key has signed; as such, the use of OpenSSH certificates for user authentication is not recommended.
- Key locations are commonly configured in configuration files.
- Some organizations use custom-compiled versions that have non-standard paths compiled in for specifying the location of SSH keys.
- SSH keys may be stored in NFS (Network File System) volumes and a change may affect many hosts.
- User accounts may come from a number of servers, including:
- Active Directory,
- Network Information System,
- LDAP (Lightweight Directory Access Protocol)
- Keys may be stored in LDAP.
- SELinux, enabled in many common Linux distributions, may limit the direct reading of authorized_keys files.
- Configuration file syntax and the meaning of certain options has changed many times between versions.
- Options in authorized_keys files are important for understanding what access is provided and for restricting the use of stolen/copied keys using from= stanzas.
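To make the last two points concrete, the following audit script (an added example, not code from the article or from the OpenSSH project) parses a constructed authorized_keys file, lists which keys the server would accept, and flags keys that carry no from= restriction or no owner comment. The option parser honours double-quoted values, so commas inside from="..." or command="..." are not treated as separators.

```python
"""Audit an OpenSSH authorized_keys file: which keys does this server accept,
who owns them, and are they restricted with from= stanzas?
Added example; the SAMPLE file content below is constructed, not from a real host."""

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")  # prefixes of OpenSSH key-type tokens

SAMPLE = """\
# constructed sample authorized_keys for illustration only
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataOnlyForIllustration alice@laptop
from="10.0.0.0/8,192.168.1.5",command="/usr/local/bin/backup.sh",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABExampleRSAKeyData backup@nas
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAnotherExampleKeyWithNoComment
"""

def split_options(opts):
    """Split an option stanza on commas, ignoring commas inside double quotes."""
    out, cur, quoted, i = [], "", False, 0
    while i < len(opts):
        ch = opts[i]
        if ch == '"':
            quoted = not quoted
        elif ch == "\\" and quoted and i + 1 < len(opts):
            cur += ch + opts[i + 1]; i += 2; continue   # keep escaped char verbatim
        elif ch == "," and not quoted:
            out.append(cur); cur = ""; i += 1; continue
        cur += ch; i += 1
    return out + [cur] if cur else out

def parse_line(line):
    """Return {options, type, key, comment} for one key line, None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, rest = "", line
    if not line.startswith(KEY_TYPES):          # an option stanza precedes the key type
        quoted, i = False, 0
        while i < len(line):                    # stop at the first unquoted whitespace
            ch = line[i]
            if ch == '"':
                quoted = not quoted
            elif ch == "\\" and quoted:
                i += 1
            elif ch.isspace() and not quoted:
                break
            i += 1
        options, rest = line[:i], line[i:].strip()
    parts = rest.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(KEY_TYPES):
        return {"error": line}
    return {"options": split_options(options), "type": parts[0], "key": parts[1],
            "comment": parts[2] if len(parts) == 3 else ""}

def audit(text):
    """Return [(owner-or-key-prefix, [findings])] for every accepted key in the file."""
    report = []
    for entry in filter(None, map(parse_line, text.splitlines())):
        if "error" in entry:
            report.append(("<unparsable>", ["malformed line"])); continue
        issues = []
        if not any(o.startswith("from=") for o in entry["options"]):
            issues.append("no from= restriction: usable from any source host")
        if not entry["comment"]:
            issues.append("no comment: owner unknown")
        report.append((entry["comment"] or entry["key"][:16] + "...", issues))
    return report

if __name__ == "__main__":
    for owner, issues in audit(SAMPLE):
        print(owner, "->", "; ".join(issues) or "OK")
```

Run it against a real file with `audit(open("/home/user/.ssh/authorized_keys").read())`; the same parser can be pointed at any non-standard key location an AuthorizedKeysFile directive names.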
How do I install OpenSSH server on Linux?
Follow the steps below to install an ssh server on Linux:
- Open the terminal application.
- Type "sudo apt-get install openssh-server"
- Enable the ssh service with "sudo systemctl enable ssh"
- Start the ssh service with "sudo systemctl start ssh"
- Test it by logging in to the system using ssh user@server-name